* Terje Bless wrote:
>It's a good chance that stuff like auth-proxying only works on Apache, which
>would mean that we're trying to be "generic CGI" but in practice we only work
>on Apache. That would mean we're limiting our options in «check» needlessly.
You can make IIS pass HTTP_AUTHORIZATION to a Perl script just like you
can do it with Apache. You can also run ActiveState's ISAPI Perl filter
and replace checking %ENV for it with some code specific to that. I did
not say it runs out of the box and is feature complete, but it works. I
should also note that this feature is uninteresting for local installs.
>Oh, sorry, I'd thought the perceived benefits of mod_perl would be obvious.
There are benefits in using it, whether there are real relevant benefits
that justify a dependency on it is a different question. We would
already benefit from a number of mod_perl features that do not require
to write any mod_perl specific code.
>Being a persistent environment you'd eliminate a whole mess of per-invocation
>overhead, and you'd have deeper access to the server innards if you need it.
>One example of which — that's related to Apache2, not mod_perl as such — would
>be that we could offload SSI processing to the mod_include output filter
>instead of doing pseudo-SSI internally in our code.
That might be possible, it might also be possible to get rid of that
through other means. Though I should note that this could be used in
combination with I18N and/or escaping bugs to inject malicious SSI
directives that allow to read local files.
>I was looking for a list of linux distributions, commercial UN*X variants,
>etc.; and what versions of these are currently relevant in terms of deployed
>base. The intent being to investigate what minimum versions of various
>dependencies they ship to determine what we can safely require.
I am not convinced that "standard packages" are relevant to our users,
it seems perfectly reasonable to me to expect users to install the
latest software if they want to use the latest Validator features. I
will most certainly not enjoy arguments about our dependencies that
include mentioning "standard packages" for some Linux or BSD dists.